DOM Based Cross Site Scripting (XSS) vulnerability Tutorial

So far I have explained the traditional cross site scripting that occurs because of insecure server-side code. In this post, I am going to explain the DOM Based Cross Site Scripting vulnerability. If you don't know what cross site scripting is, then I recommend you read the basics from here.

Before explaining DOM based XSS, let me explain what DOM means.

What is DOM?
DOM stands for Document Object Model. It allows client-side scripts (e.g. JavaScript) to dynamically access and modify the content, structure, and style of a webpage.

Like server-side scripts, client-side scripts can also accept and manipulate user input with the help of the DOM.

Here is a very simple HTML page that accepts and writes user input using JavaScript with the help of the DOM.

<html>
<head>
</head>
<body>
    <script>
    var pos = document.URL.indexOf("BTSinput=") + 9;   // finds the position of the value ("BTSinput=" is 9 characters long)
    var userInput = document.URL.substring(pos, document.URL.length); // copies the value into the userInput variable
    document.write(unescape(userInput)); // writes the content to the webpage (deliberately unsanitized)
    </script>
</body>
</html>

If you know HTML and JavaScript, understanding the above code is a piece of cake.

In the above example, the JavaScript code gets the value of the URL parameter "BTSinput" and writes that value into our webpage.

For example, if the URL is
    www.BreakThesecurity.com/PenTesting?BTSinput=default
the webpage will display "default" as output.


Did you notice? That part of the webpage was not written by a server-side script. The client-side script modifies the content dynamically based on the input, and everything is done with the help of the DOM object 'document'.

DOM Based XSS vulnerability:
When a developer writes content using a DOM object without sanitizing the user input, it allows an attacker to run his own script code.

In the above example, we failed to sanitize the input and simply displayed whatever value we got from the URL.

An attacker with malicious intent can inject an XSS vector instead. For example:

www.BreakThesecurity.com/PenTesting?BTSinput=<script>alert("BreakTheSec")</script>




As I said earlier, the document.write function simply writes the value of the BTSinput parameter into the webpage. So it will write '<script>alert("BreakTheSec")</script>' into the webpage without sanitizing it. This results in the script code running and the alert box being displayed.

Patching the DOM Based Cross Site Scripting Vulnerability
Audit all JavaScript code in use by your application to make sure that untrusted data is being escaped before being written into the document, evaluated, or sent as part of an AJAX request. There are dozens of JavaScript functions and properties which must be protected, including some which are rather non-obvious:

The document.write() function
The document.writeln() function
The eval() function, which executes JavaScript code from a string
The execScript() function, which works similarly to eval()
The setInterval(), setTimeout(), and navigate() functions
The .innerHTML property of a DOM element
Certain CSS properties which allow URLs such as .style, .backgroundImage, .listStyleImage, etc.
The event handler properties like .onclick, which take JavaScript code as their values

Any data which is derived from data under the client's control (e.g. request parameters, headers, query parameters, cookie names and values, the URL of the request itself, etc.) should be escaped before being used. Examples of user-controlled data include document.location (and most of its properties, e.g. document.location.search), document.referrer, cookie names and values, and request header names and values.

You can use the JavaScript built-in functions encode() or encodeURI() to handle your escaping. If you write your own escaping functions, be extremely careful. Rather than using a "black list" approach (where you filter dangerous characters and pass everything else through untouched), it is better to use a "white list" approach. A good white list approach is to escape everything by default and allow only alphanumeric characters through.
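As an added example that is not part of the original post or of the Rapid7 reference: the page's BTSinput extraction placed beside a white-list escaper of the kind described above (letters and digits pass through, every other character is escaped), written as pure string functions so it runs under Node without a browser. decodeURIComponent() stands in for the deprecated unescape(), and the function names and sample URLs are constructed for this illustration.

```javascript
// Added example (not the original post's code): the page's BTSinput parser
// beside a white-list escaper, as pure string functions runnable under Node.

// Mirrors the page's extraction: everything after "BTSinput=", URL-decoded.
// decodeURIComponent() stands in for the deprecated unescape().
function getBtsInput(url) {
  const marker = "BTSinput=";
  const pos = url.indexOf(marker);
  if (pos === -1) return "";
  try {
    return decodeURIComponent(url.substring(pos + marker.length));
  } catch (e) {
    return ""; // malformed percent-encoding: treat as empty rather than throw
  }
}

// White-list escaper: letters and digits pass through, every other character
// becomes a numeric HTML character reference, so the output can never open a
// tag, attribute or script element no matter what the URL contains.
function escapeHtmlWhitelist(s) {
  let out = "";
  for (const ch of s) {
    out += /^[A-Za-z0-9]$/.test(ch) ? ch : "&#" + ch.codePointAt(0) + ";";
  }
  return out;
}

// What the page's document.write(unescape(userInput)) hands to the parser:
// the raw string, so any markup in it becomes live markup.
function renderUnsafe(url) {
  return getBtsInput(url);
}

// Hardened equivalent: escape before document.write (or assign the raw value
// to an element's textContent instead, which never parses markup).
function renderSafe(url) {
  return escapeHtmlWhitelist(getBtsInput(url));
}

// Simple check used to compare the two outputs: is a <script tag still there?
function containsScriptTag(html) {
  return /<script/i.test(html);
}

// Constructed sample URLs: the benign value and the alert payload from the post.
const BENIGN = "http://www.BreakThesecurity.com/PenTesting?BTSinput=default";
const PAYLOAD = "http://www.BreakThesecurity.com/PenTesting?BTSinput=" +
  encodeURIComponent('<script>alert("BreakTheSec")</script>');
```

Note that encodeURI() and encodeURIComponent() perform URL encoding, not HTML escaping, so on their own they do not stop a decoded value from being parsed as markup once it reaches document.write; the escaper (or textContent) is what does that.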

Reference:
http://www.rapid7.com/vulndb/lookup/http-client-side-xss 

About The Author

Salman Rafiq
Salman Rafiq is the founder of 'My Basic Tricks'. I am a security researcher and ethical hacker with experience in various aspects of information security; other than that, I am an SEO expert and a blogger. All my efforts are to make the internet more secure.


Copyright © 2013 My Basic Tricks and Salman Rafiq.